DLL Injection - Old Royal Hack Forum

DLL Injection


    DLL Injection

    Hello,

    I've made a simple injector and a very simple DLL. I tried to inject the DLL into both Notepad and Notepad++. However, Notepad just doesn't show the message box, and Notepad++ crashes when I inject it.

    Injector:
    main.cpp
    Code:
    #include <cstdio>
    #include <windows.h>
    #include <tlhelp32.h>
    
    DWORD GetProcessIdByName(char * procName);
    
    int main()
    {
        // Image name handed to the remote thread; sizeof includes the
        // terminating NUL so the whole string is copied across.
        const char dllName[] = "NotepadHack.dll";

        puts("DLL Injector");
        puts("____________");
        puts("");
        puts("Openening process notepad++.exe...");

        // Resolve the target by image name and open it with full access.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
                                      GetProcessIdByName("notepad++.exe"));
        if (!hProcess) {
            puts("Process could not be opened.");
            getchar();
            return 1;
        }

        puts("Process opened successfully.");
        getchar();
        puts("Injecting DLL...");

        // Address of LoadLibraryA in this process, and a page in the target
        // that receives the library name.
        LPVOID loaderAddr = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
        LPVOID remoteName = VirtualAllocEx(hProcess, NULL, sizeof dllName,
                                           MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        WriteProcessMemory(hProcess, remoteName, dllName, sizeof dllName, NULL);

        // Start routine and parameter are cast from the two locals above;
        // none of the three calls above or this one have their results checked.
        CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)&loaderAddr,
                           remoteName, 0, NULL);

        puts("DLL injected successfully.");
        puts("Closing process handle...");
        CloseHandle(hProcess);

        getchar();
        return 0;
    }
    
    
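    DWORD GetProcessIdByName(char * procName)
    {
        /*
         * Walks the process list and returns the PID of the last process whose
         * image file name equals procName (case-insensitive compare).
         * Returns (DWORD)-1 when no process matches or the snapshot cannot be
         * taken; that value is never a real PID.
         */
        DWORD procID = (DWORD)-1;

        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        // The snapshot API reports failure with INVALID_HANDLE_VALUE, not NULL.
        if (hSnapshot == INVALID_HANDLE_VALUE)
            return procID;

        PROCESSENTRY32 entry;
        // Process32First fails (ERROR_BAD_LENGTH) unless dwSize is initialised
        // to the structure size before the first call.
        entry.dwSize = sizeof entry;

        if (Process32First(hSnapshot, &entry)) {
            do {
                if (stricmp(entry.szExeFile, procName) == 0)
                    procID = entry.th32ProcessID;
            } while (Process32Next(hSnapshot, &entry));
        }

        CloseHandle(hSnapshot);
        return procID;
    }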
    DLL:
    main.cpp
    Code:
    #include <windows.h>
    
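    BOOL APIENTRY DllMain(HINSTANCE hModule,
                          DWORD fdwReason,
                          LPVOID lpReserved)
    {
        // Only the attach notification is handled; the module handle and the
        // reserved pointer are not used by this DLL.
        (void)hModule;
        (void)lpReserved;

        switch (fdwReason) {
        case DLL_PROCESS_ATTACH:
            // Showing UI from DllMain runs under the loader lock; Microsoft's
            // DllMain guidance recommends keeping this callback minimal.
            MessageBox(NULL, "Hello World!", "Hack", 0);
            break;
        default:
            break;
        }

        // A non-void function must return a value on every path; the loader
        // treats a FALSE result for DLL_PROCESS_ATTACH as a failed load.
        return TRUE;
    }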
    I'm using Windows 7 but I run as administrator.

    Thanks

    #2
    you need debug-rights
    I 0x90 you!



      #3
      Originally posted by aVitamin View Post
      you need debug-rights
      Thanks



        #4
        When I modified the injector to have debug-rights it also failed. This is my code right now:
        Code:
        #include <cstdio>
        #include <windows.h>
        #include <tlhelp32.h>
        
        DWORD GetProcessIdByName(char * procName);
        int SetPrivilege(HANDLE hToken, LPCSTR lpszPrivilege, BOOL bEnablePrivilege);
        void HandleError(int errorCode);
        
        // Non-zero results returned by SetPrivilege(); 0 is left for success.
        enum PRIVILEGE_ERRORCODES
        {
            LOOKUP                 = 1, // LookupPrivilegeValue failed
            ADJUST_NOT_SUCCESS     = 2, // AdjustTokenPrivileges returned FALSE
            ADJUST_NOT_ALL_SUCCESS = 3  // AdjustTokenPrivileges succeeded but set a last error
        };
        
        
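        int main()
        {
            // Image name handed to the remote thread; sizeof includes the
            // terminating NUL so the whole string is copied across.
            const char dllName[] = "NotepadHack.dll";

            printf("DLL Injector\n");
            printf("____________\n");
            printf("\n");
            printf("Openening process notepad.exe...\n");

            // SE_DEBUG_NAME is adjusted on the injector's own token, so the
            // token must come from GetCurrentProcess(); the target handle has
            // not been opened yet and would be NULL here.
            HANDLE hToken = NULL;
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            {
                printf("Process token could not be opened.\n");
                getchar();
                return 1;
            }

            int error = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
            // The adjustment lives in the token itself; the handle is no longer needed.
            CloseHandle(hToken);
            if (error != 0)
            {
                HandleError(error);
                return 1;
            }

            HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetProcessIdByName("notepad.exe"));
            if (hProcess == NULL)
            {
                printf("Process could not be opened.\n");
                getchar();
                return 1;
            }

            printf("Process opened successfully.\n");

            getchar();

            printf("Injecting DLL...\n");

            LPVOID pLibAddress = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
            LPVOID pDllAddress = VirtualAllocEx(hProcess, NULL, sizeof(dllName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            WriteProcessMemory(hProcess, pDllAddress, dllName, sizeof(dllName), NULL);

            CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)&pLibAddress, pDllAddress, 0, NULL);

            printf("DLL injected successfully.\n");

            printf("Closing process handle...\n");
            CloseHandle(hProcess);

            getchar();
            return 0;
        }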
        
        
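        DWORD GetProcessIdByName(char * procName)
        {
            /*
             * Walks the process list and returns the PID of the last process whose
             * image file name equals procName (case-insensitive compare).
             * Returns (DWORD)-1 when no process matches or the snapshot cannot be
             * taken; that value is never a real PID.
             */
            DWORD procID = (DWORD)-1;

            HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
            // The snapshot API reports failure with INVALID_HANDLE_VALUE, not NULL.
            if (hSnapshot == INVALID_HANDLE_VALUE)
                return procID;

            PROCESSENTRY32 entry;
            // Process32First fails (ERROR_BAD_LENGTH) unless dwSize is initialised
            // to the structure size before the first call.
            entry.dwSize = sizeof entry;

            if (Process32First(hSnapshot, &entry)) {
                do {
                    if (stricmp(entry.szExeFile, procName) == 0)
                        procID = entry.th32ProcessID;
                } while (Process32Next(hSnapshot, &entry));
            }

            CloseHandle(hSnapshot);
            return procID;
        }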
        
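        int SetPrivilege(HANDLE hToken, LPCSTR Privilege, BOOL bEnablePrivilege)
        {
            /*
             * Enables (bEnablePrivilege TRUE) or disables (FALSE) one named
             * privilege on hToken.
             *
             * Returns 0 on success, otherwise a PRIVILEGE_ERRORCODES value:
             *   LOOKUP                 - the privilege name could not be resolved
             *   ADJUST_NOT_SUCCESS     - AdjustTokenPrivileges returned FALSE
             *   ADJUST_NOT_ALL_SUCCESS - the call returned TRUE but GetLastError()
             *                            reports that not everything was assigned
             *                            (typically the token does not hold the
             *                            privilege at all)
             */
            LUID luid;
            if (!LookupPrivilegeValue(NULL, Privilege, &luid))
                return LOOKUP;

            TOKEN_PRIVILEGES tp;
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Luid = luid;
            // Attributes of 0 request the privilege be disabled.
            tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

            if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL))
                return ADJUST_NOT_SUCCESS;

            // A TRUE result only means the request was processed; whether every
            // privilege was actually adjusted is reported via the last error.
            if (GetLastError() != ERROR_SUCCESS)
                return ADJUST_NOT_ALL_SUCCESS;

            // Explicit success value: the caller tests the result against 0, and
            // a non-void function must not fall off the end.
            return 0;
        }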
        
        void HandleError(int errorCode)
        {
            // Prints a description for a SetPrivilege() result code, then waits
            // for a keypress so the message stays on screen.
            if (errorCode == LOOKUP)
                printf("Error %d: The privilegevalue lookup was not successful.", errorCode);
            else if (errorCode == ADJUST_NOT_SUCCESS)
                printf("Error %d: The adjustment was not succesful.", errorCode);
            else if (errorCode == ADJUST_NOT_ALL_SUCCESS)
                printf("Error %d: The adjustment was not entirely succesful.", errorCode);
            else
                printf("Error %d: Invalid error code.", errorCode);

            getchar();
        }
        And the error code I got was 2 (ADJUST_NOT_SUCCESS).



          #5
          What do you use for compiling? I tried making a loader with VC2K8 and it always failed to enable debug privileges. I didn't examine it any further (might be just some linker options), but the same code compiled with VC2K3 always managed to enable them ... sorry, I didn't even look at your code now since I'm just leaving, I'm just asking out of curiosity. :p
          lolmaoman: Germans are born with a lifetime x22 login engraved into their birth certificates. True story.
          I DONT HAVE TEAMVIEWER AND IM NOT GOING TO GIVE ANY 24/7 ONLINE SUPPORT VIA STEAM, XFIRE OR OTHER IM PROGRAMS SO DONT BOTHER ASKING. THANKS.



            #6
            Originally posted by mencore View Post
            What you use for compiling? I tried making loader with VC2K8 and it always failed to enable debug privileges. Didnt examine it any further (might be just some linker options) but same code compiled with VC2K3 always managed to enable em ... sorry i didnt even look at your code now since im just leaving but just asking out of curiosity. :p
            Thanks for the reply, but I found it :D. I accidentally passed hProcess, which was still NULL at that point, as the first argument to OpenProcessToken. I replaced the argument with GetCurrentProcess() and now SetPrivilege works fine. But after DLL injection Notepad still doesn't do anything and Notepad++ still crashes.

